Vendor Management: SSAE 18 Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner
Welcome
Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice and holds the CISSP, CISA, CGEIT, CRISC, and QSA certifications, specializing in data security, IT governance, and regulatory compliance. He enjoys helping our clients and stakeholders by navigating them through the complex maze of compliance and regulatory requirements.
Overview
Moving to SSAE 18
How Service Organizations affect Financial Institutions
Internal Controls over Financial Reporting (ICFR)
Using the SSAE 18 for Vendor Management

SSAE 18 became effective for service auditor reports dated on or after May 1, 2017.
Why the change?
Convergence with international standards
Simplification

Convergence
The Auditing Standards Board (ASB) seeks to converge its standards with those of the International Auditing and Assurance Standards Board (IAASB). The corresponding International Standard on Assurance Engagements (ISAE) is ISAE 3000.

Simplification
The attestation (AT) section of the AICPA Professional Standards contains the standards under which Certified Public Accountants (CPAs) affirm an assertion to be true, using objectivity and professional skepticism. These AT sections are issued in the form of Statements on Standards for Attestation Engagements (SSAE).

Simplification
The following AT sections are being codified into one SSAE:
AT sec. 20
AT sec. 50
AT sec. 101 (SOC 2)
AT sec. 201
AT sec. 301
AT sec. 401
AT sec. 601
AT sec. 701
AT sec. 801 (SOC 1 / SSAE 16)

SSAE No. 18
AT-C sec. 105 (SOC 1 and SOC 2): Concepts Common to All Attestation Engagements
AT-C sec. 205 (SOC 1 and SOC 2): Examination Engagements
AT-C sec. 210: Review Engagements
AT-C sec. 215: Agreed-Upon Procedures Engagements
AT-C sec. 305: Prospective Financial Information
AT-C sec. 310: Reporting on Pro Forma Financial Information
AT-C sec. 315: Compliance Attestation
AT-C sec. 320 (SOC 1): Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
AT-C sec. 395: Management's Discussion and Analysis

SSAE No. 18: the sections that matter most for vendor management
AT-C sec. 205 (SOC 1, SOC 2, CSA): Examination Engagements
AT-C sec. 320 (SOC 1): Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
How do Service Organizations affect Financial Institutions?
Typical service organizations a financial institution depends on:
Data Processor
Deposit/Loan Platform
Data Center
Payroll Provider
Annual Report Print Provider
Document Management Services
Cloud Backup Provider

How do Service Organizations affect Financial Institutions?
What is the Financial Institution's responsibility?
Assess Risk
Determine Risk
Implement Risk Management

How do Service Organizations affect Financial Institutions?
FFIEC Examination Handbook: "Review audit and consultant reports, management's responses, and problem tracking systems to identify potential issues for examination follow-up." Possible sources include:
Internal and external audit reports, Attestation Reports (e.g. SSAE 16) and other reviews for service providers
Security reviews/evaluations from internal risk review or external consultants (includes vulnerability and penetration testing)
Findings from GLBA security and control tests and annual GLBA reports to the board

How do Service Organizations affect Financial Institutions?
ICFR enhances the reliability of financial statements by reducing the risk of material errors or misstatements. Financial reporting controls are designed to provide reasonable assurance that the institution's financial statements are reliable and prepared in accordance with generally accepted accounting principles. The controls outsourced to a service organization therefore bear directly on the institution's own:
Confidentiality
Integrity
Availability
SSAE No. 18, AT-C Sec. 320
Applies to reports issued as of May 1, 2017.

Service Organization Control (SOC) Reports
SOC 1: Type I (controls as of a point in time); Type II (controls tested through an audit period)
SOC 2: Type I (controls as of a point in time); Type II (controls tested through an audit period)

Evaluating Service Organization Controls
How reasonable are the controls and the corresponding tests?

Control Objectives

Commonly Omitted Controls
Be on the lookout for controls the report does not cover:
Application Development
Configuration Management
Encryption Methodologies
Log Management
Vendor Management

New for the SSAE 18, AT-C Sec. 320
Monitoring the Effectiveness of Controls at Subservice Organizations

Subservice Organizations
Monitoring "includes some combination of ongoing monitoring to determine that potential issues are identified timely and separate evaluations to determine that the effectiveness of internal control is maintained over time."

Ongoing Monitoring
Reviewing and reconciling output reports
Holding periodic discussions with the subservice organization
Making regular site visits to the subservice organization

Ongoing Monitoring
Testing controls at the subservice organization by members of the service organization's internal audit function
Reviewing Type I or Type II reports on the subservice organization's system
Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization
Using the SSAE 18 for Monitoring Vendors
Developing a fiduciary mindset with your vendors
Annual Reviews
Ongoing Performance Reports
Site Visits

Using the SSAE 18 for Monitoring Vendors
Implement processes for monitoring critical controls:
Vulnerability Releases
Incident Reports
Technology Changes

Vendor Compliance Management
Use the Online Audit Manager to ask questions of your vendors
Hire our specialized resources to perform site visits with your critical vendors
Access our webinar recordings for several topics dealing with vendor compliance management

OnlineAuditManager.com

Questions?
For further information, contact:
Joseph Kirkpatrick, joseph@kirkpatrickprice.com
Joseph Kirkpatrick joseph@kirkpatrickprice.com www.cbancnetwork.com/education